Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

privacy blocking iq should not stop stanzas sent by my server to me #2724

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

bartekgorny
Copy link
Collaborator

Previously, blocking all incoming iqs also cut off communication with the server, also in legitimate cases - like receiving an iq result from my own request. This is not required by XEP-0199, and it broke some features, like mod_ping. There was also a race condition - when a user sets a privacy lists, his c2s process routes two messages - iq result and a broadcast, which also sets the list in the same process. Whether the result came back or not, depended on which of these two messages was handled first.

This PR skips privacy checks for iq stanzas sent to a user by his own server account or by the server itself.

@mongoose-im
Copy link
Collaborator

mongoose-im commented Apr 29, 2020

8205.1 / Erlang 22.0 / small_tests / 544818e
Reports root / small


8205.2 / Erlang 22.0 / internal_mnesia / 544818e
Reports root/ big
OK: 1427 / Failed: 0 / User-skipped: 157 / Auto-skipped: 0


8205.4 / Erlang 22.0 / mysql_redis / 544818e
Reports root/ big
OK: 2651 / Failed: 0 / User-skipped: 213 / Auto-skipped: 0


8205.3 / Erlang 22.0 / odbc_mssql_mnesia / 544818e
Reports root/ big
OK: 2656 / Failed: 0 / User-skipped: 208 / Auto-skipped: 0


8205.5 / Erlang 22.0 / riak_mnesia / 544818e
Reports root/ big
OK: 1552 / Failed: 0 / User-skipped: 172 / Auto-skipped: 0


8205.7 / Erlang 22.0 / elasticsearch_and_cassandra_mnesia / 544818e
Reports root/ big
OK: 328 / Failed: 0 / User-skipped: 28 / Auto-skipped: 0


8205.6 / Erlang 22.0 / ldap_mnesia / 544818e
Reports root/ big
OK: 1366 / Failed: 0 / User-skipped: 218 / Auto-skipped: 0


8205.9 / Erlang 21.3 / pgsql_mnesia / 544818e
Reports root/ big / small
OK: 2669 / Failed: 0 / User-skipped: 195 / Auto-skipped: 0

@codecov
Copy link

codecov bot commented Apr 29, 2020

Codecov Report

Merging #2724 into master will increase coverage by 2.94%.
The diff coverage is 83.33%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #2724      +/-   ##
==========================================
+ Coverage   76.32%   79.27%   +2.94%     
==========================================
  Files         368      368              
  Lines       30510    30516       +6     
==========================================
+ Hits        23287    24191     +904     
+ Misses       7223     6325     -898     
Impacted Files Coverage Δ
src/mongoose_privacy.erl 90.47% <83.33%> (-2.86%) ⬇️
...c/global_distrib/mod_global_distrib_server_mgr.erl 79.14% <0.00%> (-2.46%) ⬇️
src/rdbms/mongoose_rdbms.erl 68.87% <0.00%> (-1.54%) ⬇️
src/ejabberd_local.erl 72.18% <0.00%> (-1.51%) ⬇️
src/mod_roster.erl 77.75% <0.00%> (-0.48%) ⬇️
src/ejabberd_sm.erl 75.31% <0.00%> (-0.32%) ⬇️
src/mod_muc_log.erl 77.69% <0.00%> (ø)
src/mod_muc_room.erl 77.41% <0.00%> (+0.05%) ⬆️
src/pubsub/mod_pubsub.erl 72.34% <0.00%> (+0.05%) ⬆️
src/mod_muc.erl 77.77% <0.00%> (+0.52%) ⬆️
... and 18 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fe5f5cb...5c2974c. Read the comment docs.

#jid{lserver = S} = _To,
_) -> allow;
%% do not bother checking if privacy list is empty
basic_check(_, _, _, #privacy{lists = []}) -> allow;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this doesn't get a #privacy{} record, but rather a #userlists{} one. It's on the specs of the caller, and also codecov shows this line as never hit, with is a sign 🤔

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

true

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, #userlists{lists = []} is already ignored in the handler in mod_privacy:check_packet/, in case you missed it. I'm not saying it's bad to duplicate logic, but maaybe it's worth giving it a thought 🤔

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

true, again. I'd put it here, though, if only for more visibility.

@bartekgorny bartekgorny requested a review from chrzaszcz April 30, 2020 08:42
@chrzaszcz
Copy link
Member

chrzaszcz commented Apr 30, 2020

Previously, blocking all incoming iqs also cut off communication with the server, also in legitimate cases - like receiving an iq result from my own request. This is not required by XEP-0199, and it broke some features, like mod_ping. There was also a race condition - when a user sets a privacy lists, his c2s process routes two messages - iq result and a broadcast, which also sets the list in the same process. Whether the result came back or not, depended on which of these two messages was handled first.

XEP-0199 is about Ping, the one for privacy lists is XEP-0016, which describes the IQ blocking feature in the following way:

Server-side privacy lists enable a user to block incoming IQ stanzas from other entities based on the entity's JID, roster group, or subscription status (or globally).

As an entity is a user OR any service, I don't see a reason to exclude any IQ stanzas from the blocking feature. I think that if we want to change this, we would need to get an opinion on the XSF mailing list first.

I am aware of the fact that Example 44 explicitly mentions "users", but the previous examples just mention "entities".

Regarding the race condition, could we add a test for it first and make sure this test fails randomly to prove that it really exists?

@bartekgorny
Copy link
Collaborator Author

XEP-0199 is about Ping, the one for privacy lists is XEP-0016,

Of course, my mistake.

As an entity is a user OR any service, I don't see a reason to exclude any IQ stanzas from the blocking feature. I think that if we want to change this, we would need to get an opinion on the XSF mailing list first.

Yup, this is exactly why I expected a discussion. The XEP doesn't specifically state which IQs should be blocked and which shouldn't, so there is a need for interpretation. The purpose of privacy lists is to avoid unwanted communication, like malicious users or servers. Blocking IQs from my own server in effect breaks some other xeps (like mod_ping), but also RFC 6120 (which says that the server should reply to an IQ with a result or an error) and RFC 6121 (roster push). Even more, it breaks the same XEP, which specifically states that if you edit a privacy list you should receive a iq result.

Having said that, I'm not opposed to consulting XSF if there is a need for it.

Regarding the race condition, could we add a test for it first and make sure this test fails randomly to prove that it really exists?

Not really, because the messages always arrived in the same order, so technically speaking it was not a race condition since one horse was winning it all the time. However, a minor change in code layout was sufficient to reverse the order, so the race must have been pretty tight.

@chrzaszcz
Copy link
Member

chrzaszcz commented Apr 30, 2020

Yup, this is exactly why I expected a discussion.

Let's have a discussion then, I think the best place for it would be a tech meeting, but the opinion on the XSF mailing list would be also very valuable.

@Neustradamus

This comment was marked as spam.

@bartekgorny
Copy link
Collaborator Author

@chrzaszcz @NelsonVides Can we get back to this one? To me it seems still valid, though if you guys decide otherwise we can close this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants